IT Governance, Risk, and Compliance » EDI

IT Hardware Validity Checks – Part IV

Robert Davis — Wed, 22 Aug 2012 00:49:41 +0000

Some IT configurations are capable of assigning whole sections of memory for prescribed operations, programs, and/or data. These assigned sections of memory can be protected by a hardware address validity check. This type of control is also known as storage protection.

Address validity checks are also used in disk drives. When employed, firmware commonly compares the address on a disk pack requested in a write instruction with the set of valid disk storage locations.

Verification constraint of an IT hardware validity check

Where installed, the IT hardware validity check compares each action with the set of rules to ensure that it is indeed appropriate. Nevertheless, the limitation of an IT hardware validity check is that it will not detect an error when a valid symbolic representation is recorded improperly in place of another symbolic representation during data entry or transmission.

Sources:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Mission Viejo, CA: Pleier Corporation, 2008. CD-ROM.

Boritz, Efrin J. IS Practitioners’ Views on Core Concepts of Information Integrity. Rev. ed. Ontario: University of Waterloo, 2004. 9

Gleim, Irvin N. CIA Examination Review. 3rd ed. Vol. 1. Gainesville, FL: Accounting Publications, 1989. 284

Watne, Donald A. and Peter B. B. Turney. Auditing EDP Systems. Englewood Cliffs, NJ: Prentice-Hall, 1984. 232-3

“View Part I of the IT Hardware Validity Checks series here”

Post Notes: “IT Hardware Validity Checks – Part IV” was originally published through Suite101.com under the title “IT Hardware Validity Checks”.

IT Hardware Validity Checks – Part III

Robert Davis — Fri, 17 Aug 2012 23:59:30 +0000

Validity checking of datum passed to peripheral devices

A data validity check compares characters or fields that are written or read with a set of all valid characters or fields. It is particularly useful technique with peripheral devices such as printers. For example, a printer may be limited to a certain number of characters. Consequently, if there where sixty-four characters associated with a print drum the data validity check would accept data containing any of the sixty-four characters as valid, yet would reject data representing other characters considered invalid.

Validity checking of storage location addresses

IT memory has designated storage addresses that can be accessed. CPUs utilize control units to keep track of addresses associated with the IT configuration. The address validity check compares the memory address requested with the list of valid addresses to detect an invalid request.

Sources:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Mission Viejo, CA: Pleier Corporation, 2008. CD-ROM.

Boritz, Efrin J. IS Practitioners’ Views on Core Concepts of Information Integrity. Rev. ed. Ontario: University of Waterloo, 2004. 9

Gleim, Irvin N. CIA Examination Review. 3rd ed. Vol. 1. Gainesville, FL: Accounting Publications, 1989. 284

Watne, Donald A. and Peter B. B. Turney. Auditing EDP Systems. Englewood Cliffs, NJ: Prentice-Hall, 1984. 232-3

“View Part I of the IT Hardware Validity Checks series here”

Post Notes: “IT Hardware Validity Checks – Part III” was originally published through Suite101.com under the title “IT Hardware Validity Checks”.

IT Hardware Validity Checks – Part II

Robert Davis — Wed, 15 Aug 2012 00:34:47 +0000

Information validity implies data elements represent real conditions, rules or relationships rather than physical object characteristics. IT hardware validity checks are preventive and/or detective control measures that should be implemented to ensure appropriate data processing. There are three primary types of IT hardware validity checks: operation validity, data validity, and address validity.

Validity checking of operation codes within the Central Processing Unit (CPU)

Each computer has a recognizable instruction set (e.g. Reduced Instruction Set Computing (RISC)) with a designated code for each instruction, such as addition, subtraction, multiplication, and division. The operation validity check will signal an error condition if, during execution, a program attempts to process an invalid instruction.

Sources:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Mission Viejo, CA: Pleier Corporation, 2008. CD-ROM.

Boritz, Efrin J. IS Practitioners’ Views on Core Concepts of Information Integrity. Rev. ed. Ontario: University of Waterloo, 2004. 9

Gleim, Irvin N. CIA Examination Review. 3rd ed. Vol. 1. Gainesville, FL: Accounting Publications, 1989. 284

Watne, Donald A. and Peter B. B. Turney. Auditing EDP Systems. Englewood Cliffs, NJ: Prentice-Hall, 1984. 232-3

“View Part I of the IT Hardware Validity Checks series here”

Post Notes: “IT Hardware Validity Checks – Part II” was originally published through Suite101.com under the title “IT Hardware Validity Checks”.

On 07/27/2012, Robert E. Davis, MBA, CISA, CICA accepted an invitation to join the ITKnowledgeExchange Advisory Board.

IT Hardware Validity Checks – Part I

Robert Davis — Sat, 11 Aug 2012 00:36:37 +0000

IT hardware validity checks are preventive and/or detective control measures that should be implemented to ensure appropriate data processing. An important component of enabling information integrity is sustaining data and task validity. Within this context, the purpose of an IT hardware validity check is to assist in ensuring that infrastructure processing activities are appropriate actions. Whereby, an appropriate action is one that conforms to a set of authorized rules that are considered to be correct or reasonable.

Determination of the validity of an IT hardware action is something a redundancy check is unable to perform. However, in conjunction with redundancy checks, validity checks provide considerable certainty that hardware processing and transfer of datum will be complete, accurate and creditable.

Sources:

Davis, Robert E. IT Auditing: Assuring Information Assets Protection. Mission Viejo, CA: Pleier Corporation, 2008. CD-ROM.

Boritz, Efrin J. IS Practitioners’ Views on Core Concepts of Information Integrity. Rev. ed. Ontario: University of Waterloo, 2004. 9

Gleim, Irvin N. CIA Examination Review. 3rd ed. Vol. 1. Gainesville, FL: Accounting Publications, 1989. 284

Watne, Donald A. and Peter B. B. Turney. Auditing EDP Systems. Englewood Cliffs, NJ: Prentice-Hall, 1984. 232-3

Post Notes: “IT Hardware Validity Checks – Part I” was originally published through Suite101.com under the title “IT Hardware Validity Checks”.

IT Audit Fieldwork: Generally Accepted Processes – Part IV

Robert Davis — Mon, 25 Jan 2010 16:35:42 +0000

Collection of sufficient evidential matter required for compliance with the third generally accepted standard of audit fieldwork affects the IT auditor as to the type of evidence to be collected and as to the means of acquisition. For example, types of evidence may change because of source document eliminations and/or substitution of electronic data interchange (EDI) formats for processing transactions. Whereas, for example, the means of acquiring evidence may change because the auditor may have to substitute a computer and programs for the visual scanning performed with a manual system.

“View Part I of the IT Audit Fieldwork: Generally Accepted Processes series here“

Electronic Commerce – Part IV

Robert Davis — Tue, 26 May 2009 18:14:01 +0000

EDI is commonly defined as the transfer of data between different companies utilizing networks. For the vast majority of entities, enhanced transactional traceability, reliability, and accessibility are derived EDI benefits; but without appropriate controls, communication interdependency can elevate legal, security and operational risks. As an accepted remedial risk measure, public key infrastructure (PKI) is the primary technological resource permitting E-commerce portable trust. However, to achieve E-commerce security transparency requires an appropriate trading partner compatibility solution that addresses various entity-centric encryption and digital signature techniques.

“View Part I of the Electronic Commerce series here“

Electronic Commerce – Part III

Robert Davis — Fri, 22 May 2009 19:00:10 +0000

EDI between trading partners can be interpreted as legally binding contracts. For instance, when a transaction is initiated by one of the trading partners, such as a purchase order, it constitutes an “offer”. In turn, if a trading partner agrees to supply the merchandise requested, it normally is considered “acceptance” of the offer. Thus, interpretively, under the U.S. Uniform Commercial Code a contract between buyer and seller is established.

Regarding effective security, two topics have gained notoriety: managerial ease and portable trust. Managerial ease focuses on making the security infrastructure’s integration and utilization with various applications transparent to enable adoption by trading parties. Portable trust supports telecommunication links with external parties through faith in resource authorizations and reliable message delivery. Inadvertent data loss during transmission reduces the cost savings generally associated with EDI deployment. Furthermore, message integrity issues can jeopardize connectivity status.

“View Part I of the Electronic Commerce series here“

Electronic Commerce – Part II

Robert Davis — Tue, 19 May 2009 19:52:11 +0000

Delineated, B2B is E-commerce between discernibly distinct entities. B2B links enable the exchange of products, services, or information between entities. Cascading down, Electronic Data Interchange (EDI) methodologies are the precursors and pillars of Internet integrated B2B relationships. Depending on activity frequency and application, EDI control risk can become material. Where EDI is implemented, lack of direction, reliance on third parties, and system dependencies potentially expose an entity to additional legal, security, and operational risks.

“View Part I of the Electronic Commerce series here“